Abstract

The behavior of systems with hard real-time constraints can be specified in terms of Hierarchical Multi-State (HMS) abstract machines, which are generalizations of finite-state automata. In this paper, a two-step method is presented for verifying that safety properties are not violated by an HMS specification of a system. In the first step, the safety verification question is recast as a reachability problem in an extension of the HMS machine. In the second step, reachability is determined by the use of correctness-preserving and partial correctness-preserving transformations. The method is shown to be complete, and it is illustrated by verifying that a safety property holds for a simple railroad-crossing system if all of its deadlines are met.

1.  Introduction 

Hierarchical Multi-State (HMS) machines are a type of automata that can be used for the specification of complex real-time systems [Ga-88], as well as for the causal modeling of physical systems [Ga-87]. Key features of HMS machines that provide a means for dealing with complexity are (i) multiple active states, (ii) simultaneous firing of multiple transitions, (iii) hierarchies, (iv) object-carrying tokens, and (v) non-deterministic transitions that allow the specification of entire classes of related systems. Another feature of HMS machines is a special language for defining temporal constraints on transitions.

The goal of this paper is to present a method for verifying that a system, as specified by an HMS machine, does not violate a set of “safety properties,” which are requirements that define undesirable situations for the system. The method first represents the requirements as new states in the HMS machine, thus converting a problem of logical satisfaction into a problem of state unreachability. Next, transformations are applied to the HMS machine that alter its structure, while maintaining critical aspects of its behavior. Verification is complete when the machine has been transformed into one for which unreachability is obvious (e.g., no transitions leading into the given state). A preliminary and informal presentation of this method appeared in [Ga-88], where it was used to prove that a two-processor mutual exclusion protocol is collision-free.

The method of requirement representation outlined above is analogous to the representation of propositional logic “facts” in Petri Nets (e.g., [Re-85]). In an HMS machine, however, temporal logic “safety properties” [La-77], including properties which mandate that hard deadlines are met, can be represented. The use of correctness-preserving transformations is common in formal software development [Pa-83], and rewrite rules are a standard part of the syntactic theories of deduction and computation [Hu-85]. Transformations on classical finite-state automata are also common, going back at least as far as the proof of the equivalence of non-deterministic and deterministic automata [Ra-59]. The modular construction of Petri nets through stepwise refinement has been widely explored (beginning with [Va-79], and more recently in [Vo-89]). Non-transformational approaches to proving that formal specifications meet safety requirements include the construction of “refinement mappings” [Ab-88], the discharging of “variance and invariance proof obligations” [Al-85], and the construction of “computation graphs” [Ja-88].

In Section 2 of this paper, the structure and execution of HMS machines are defined formally. In Section 3, the concept of transformations on HMS machines is introduced, along with a specific set of transformations that are shown to be complete for verification purposes. In Section 4, the method of representing safety properties as extended states of an HMS machine is presented. A demonstration of the proof method for a simple railroad-crossing system with hard deadlines is presented in Section 5 (this example was originally used in [Ja-88]). The summary and conclusions appear in Section 6.

2.  HMS  Machines 

As  noted  in  the  Introduction,  multiple  states  may  be  “active”  at  any  moment  and  many 
transitions  may  “fire”  simultaneously  in  an  HMS  machine.  The  states  of  an  HMS  machine 
may  be  organized  hierarchically,  although  hierarchies  will  not  be  considered  in  this  paper 
(see  [Ga-88]).  A  transition  can  fire  only  if  certain  logical  and  temporal  conditions  are 
satisfied.  If  its  states  correspond  to  the  relevant  facts  about  a  system,  and  its  transitions 
correspond  to  the  system  dynamics,  then  the  HMS  machine  constitutes  a  “specification”  of 
that  system.  Given  such  a  specification,  and  assuming  a  model  of  time  as  a  discrete,  linear 
and  unbounded  ordering,  the  “executions”  of  the  HMS  machine  correspond  to  the  possible 
behaviors  of  the  system. 

There is actually a succession of increasingly powerful classes of HMS machines that can be defined by varying the types of states in the machine (e.g., by introducing “tokens” into them). In this paper, we will consider only the simplest of these classes, in which a state is either marked or unmarked. Thus, the class of machines considered in this paper is a variation of a subclass of the “HMS-0” machines of [Ga-88], where informal operational definitions were given. The more formal definitions of this paper are key ingredients for proving the consistency and completeness of our transformational approach to verification.

2.1.  Structure  of  HMS  Machines 

In  this  section,  the  definition  of  the  structure  of  HMS  machines  is  presented.  The  purpose  of 
the  various  components  of  an  HMS  machine  will  become  clear  when  the  execution  of  HMS 
machines  is  described  in  Section  2.2. 
Informally, an HMS machine is defined as a set of states (denoted by S), together with deterministic and non-deterministic transitions among these states (denoted Γ_D and Γ_N, respectively). The following three definitions introduce basic concepts.


Definition 1 (Time Expression): τ is a “time expression” if τ is either <t1, t2>, <t1, t2>!, or [t1, t2], where t1 and t2 are integers, with t1 ≤ t2 ≤ 0. When t1 = t2 = t, these three time expressions may be written as t, t!, and t respectively (the first and third abbreviations coincide, since <t, t> and [t, t] are satisfied by exactly the same markings).

Definition 2 (Control): c is a “control” over S if τ is a time expression and (a) c is (s, τ) or (¬s, τ), for some state s; or (b) c is (id, τ) or (¬id, τ), for some transition label id (see Definition 3). Controls of type (a) are called “state-based controls,” and controls of type (b) are called “transition-based controls.”

In practice, only state-based controls are necessary for system specification. The transition-based controls, which were not a part of HMS definitions in [Ga-88], greatly simplify the ideas of transformational proofs in Section 3.

Definition 3 (Transition): γ is a “transition” over S if γ is of the form

id: (PRIMARIES) (CONTROLS) → (CONSEQUENTS)

where id is a “label,” PRIMARIES is a (possibly empty) subset of S, CONTROLS is a (possibly empty) set of controls over S, and CONSEQUENTS is a (possibly empty) subset of S. These three sets will be denoted PRIMS(γ), CTRLS(γ) and CNSQS(γ), respectively.

Definition 4 (HMS Machine): An “HMS machine” is a triple H = (S, Γ_D, Γ_N), where S is a set of states, and Γ_D and Γ_N are (possibly empty) sets of transitions over S. H is “state-controlled” if its transitions use only state-based controls.

State-controlled HMS machines are equivalent to HMS-0 machines of [Ga-88] without hierarchies, special states (“initial,” “final,” and “external”), or “future delays.”

These definitions can be illustrated by the state-controlled HMS machine of Figure 1, which defines the operation of a user-controlled mixer, where

S = {Switch-ON, Switch-OFF, MIXING, IDLE}

Γ_D = {w: (MIXING) ((¬Switch-ON, -1) (MIXING, [-10, 0])) → (IDLE),
      x: (IDLE) ((Switch-ON, -1) (MIXING, <-30, 0>)) → (MIXING)}

Γ_N = {y: (Switch-ON) ( ) → (Switch-OFF),
      z: (Switch-OFF) ( ) → (Switch-ON)}.

In the graphic notation of Figure 1, (1) states are represented as boxes, (2) transitions are represented as dark arrows from primaries to consequents, and (3) controls are denoted by thin arrows. Non-determinism is indicated by an asterisk at the head of a transition arrow, time expressions appear next to the symbol (j), and negation is denoted by the standard symbol used in VLSI design. Transition labels such as w, x, y and z are normally not shown in the graphic representation of HMS machines.
Figure 1. Mixer HMS Machine


2.2.  Execution  of  HMS  Machines 

The legal execution of HMS machines is described in this section. Informally, a machine executes by “firing” some of its transitions at each moment, which alters the values of some or all of the primary states and consequent states at the next moment. Starting from a description of initial conditions, an execution of an HMS machine is determined by a sequence of sets of transitions, indicating what happens at each successive moment. Due to the non-deterministic transitions, there may be a large set of possible executions for a given machine under given initial conditions. As noted in [Ga-88], non-determinism is a powerful tool for defining a “generic” specification for an entire class of systems that can be refined using methods outlined therein.

We  begin  with  the  notion  of  “marking,”  which  defines  the  status  of  an  HMS  machine  at  the 
present  and  at  all  moments  in  the  infinite  past.  The  assumption  of  an  infinite  past  will 
simplify  later  definitions,  although  only  finite  histories  are  needed  in  practice. 

Definition 5 (Marking): M is a “marking” of an HMS machine H = (S, Γ_D, Γ_N) if M is a mapping from (S ∪ Γ_D ∪ Γ_N) × {0, -1, -2, ...} to {T, F}. If M(s, i) = T (F), then the state s is said to be “marked” (“unmarked”) or “true” (“false”) at time i. If M(γ, i) = T (F), then the transition γ is said to have “fired” (“not fired”) at time i.

An  HMS  machine  is  “executable,”  in  the  sense  that  a  sequence  of  successive  markings  may 
be  generated  from  an  initial  marking.  At  any  moment  of  time,  some  transitions  of  an  HMS 
machine  will  be  “enabled.”  The  firing  of  all  enabled  deterministic  transitions  and  a  subset 
(possibly  empty)  of  enabled  non-deterministic  transitions  at  that  moment  yields  a  new 
marking  at  the  next  moment.  This  process  is  formalized  by  Definitions  6-10: 

Definition 6 (Control Satisfaction): The control c is “satisfied” for marking M if

(i) c is (x, <t1, t2>) and M(x, t3) = T for some t3 s.t. t1 ≤ t3 ≤ t2.

(ii) c is (x, [t1, t2]) and M(x, t3) = T for every t3 s.t. t1 ≤ t3 ≤ t2.

(iii) c is (x, <t1, t2>!), M(x, t3) = T for some t3 s.t. t1 ≤ t3 ≤ t2, and M(x, t1 - 1) = F.

(iv) c is (¬x, <t1, t2>) and M(x, t3) = F for some t3 s.t. t1 ≤ t3 ≤ t2.

(v) c is (¬x, [t1, t2]) and M(x, t3) = F for every t3 s.t. t1 ≤ t3 ≤ t2.

(vi) c is (¬x, <t1, t2>!), M(x, t3) = F for some t3 s.t. t1 ≤ t3 ≤ t2, and M(x, t1 - 1) = T.

The different time expressions have informal names that are consistent with the definition of control satisfaction: <t1, t2> is called a “sometime-delay,” [t1, t2] is called an “always-delay,” and <t1, t2>! is called a “sometime-change-delay.”

Definition 7 (Transition Enablement): The transition γ is “enabled” for marking M if (1) M(s, 0) = T for all s in PRIMS(γ), and (2) c is satisfied for M for all c in CTRLS(γ).

For example, in the HMS machine MIXER from Section 2.1, the transition from IDLE to MIXING is enabled if (a) IDLE is currently true, (b) Switch-ON was true at the previous moment, and (c) MIXING was true within the past thirty moments (this constraint would be consistent with a model of a cement mixer, for which mixing would become impossible after a long period of idling).

For convenience, we define the following sets for H = (S, Γ_D, Γ_N), and marking M:

D-ENAB(H, M) = {γ | γ ∈ Γ_D and γ enabled for M}

N-ENAB(H, M) = {γ | γ ∈ Γ_N and γ enabled for M}.

Definition 8 (Firing Set): The set of transitions Γ is a “firing set” of H = (S, Γ_D, Γ_N) for marking M if Γ = D-ENAB(H, M) ∪ P, where P ⊆ N-ENAB(H, M).

Definition 9 (Next Marking): If M is a marking of an HMS machine H, and if Γ is a firing set of H for M, then the marking “after M via Γ” is denoted by M[Γ], and is given by

M[Γ](s, 0) = T for every state s in CNSQS(Γ)

M[Γ](s, 0) = F for every state s in PRIMS(Γ) but not CNSQS(Γ)

M[Γ](s, 0) = M(s, 0) for every state s not in either PRIMS(Γ) or CNSQS(Γ)

M[Γ](γ, 0) = T for every transition γ ∈ Γ

M[Γ](γ, 0) = F for every transition γ ∉ Γ

M[Γ](x, t) = M(x, t + 1) for every x ∈ S ∪ Γ_D ∪ Γ_N, and every time t < 0.

(Here PRIMS(Γ) and CNSQS(Γ) stand for the unions of PRIMS(γ) and CNSQS(γ) over the transitions γ in Γ.)

Definition 10 (HMS Execution): If H is an HMS machine, and if M0 is a marking of H, then an “execution of H from M0” is a sequence [M0, M1, M2, ...] of markings such that M_{i+1} = M_i[Γ_i] for some firing set Γ_i of H for M_i, for each i ≥ 0. The set of all executions of H from M0 is denoted by ℰ(H, M0).

For example, one possible marking M of the HMS machine MIXER from Section 2.1 is

M(Switch-OFF, i) = M(IDLE, i) = T for all i ≤ 0.

M(Switch-ON, i) = M(MIXING, i) = F for all i ≤ 0.

M(w, i) = M(x, i) = M(y, i) = M(z, i) = F for all i ≤ 0.

The marking after M via firing set Γ = { z: (Switch-OFF) ( ) → (Switch-ON) } is given by

M[Γ](Switch-ON, 0) = T; M[Γ](Switch-ON, i) = F for all i < 0

M[Γ](Switch-OFF, 0) = F; M[Γ](Switch-OFF, i) = T for all i < 0

M[Γ](IDLE, i) = T for all i ≤ 0; M[Γ](MIXING, i) = F for all i ≤ 0

M[Γ](z, 0) = T; M[Γ](z, i) = F for all i < 0; M[Γ](w, i) = M[Γ](x, i) = M[Γ](y, i) = F for all i ≤ 0.
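
As an added illustration (this is not code from the paper), the following Python executor implements Definitions 5 to 10 for state-controlled machines and replays the mixer step just computed. The encoding of transitions as dictionaries, and of a marking as an explicit finite history plus a constant value for the infinite past, are assumptions of this example.

```python
from itertools import combinations

SOMETIME, ALWAYS, CHANGE = "<>", "[]", "<>!"  # the three kinds of time expression (Definition 1)

def texpr(kind, t1, t2=None):
    """Definition 1: <t1, t2>, [t1, t2] or <t1, t2>!; texpr(kind, t) is the single-moment shorthand."""
    t2 = t1 if t2 is None else t2
    assert t1 <= t2 <= 0
    return (kind, t1, t2)

def transition(id_, prims, ctrls, cnsqs):
    """Definition 3: id: (PRIMARIES) (CONTROLS) -> (CONSEQUENTS). A control is (negated, name, texpr)."""
    return {"id": id_, "prims": set(prims), "ctrls": list(ctrls), "cnsqs": set(cnsqs)}

class Marking:
    """Definition 5 with an infinite past: values[name][t] holds explicit entries for
    moments t <= 0, and any moment not stored takes the constant past[name]."""
    def __init__(self, values, past):
        self.values = {n: dict(h) for n, h in values.items()}
        self.past = dict(past)

    def get(self, name, t):
        return self.values.get(name, {}).get(t, self.past[name])

def satisfied(m, ctrl):
    """Definition 6, cases (i)-(vi)."""
    neg, x, (kind, t1, t2) = ctrl
    hits = [m.get(x, t) != neg for t in range(t1, t2 + 1)]  # moments where x has the required value
    if kind == ALWAYS:
        return all(hits)
    if kind == SOMETIME:
        return any(hits)
    # sometime-change: the required value occurs in the window and the opposite value holds at t1 - 1
    return any(hits) and m.get(x, t1 - 1) == neg

def enabled(m, tr):
    """Definition 7: every primary marked now and every control satisfied."""
    return all(m.get(p, 0) for p in tr["prims"]) and all(satisfied(m, c) for c in tr["ctrls"])

def firing_sets(machine, m):
    """Definition 8: D-ENAB(H, M) together with each subset of N-ENAB(H, M)."""
    d_enab = [tr for tr in machine["det"] if enabled(m, tr)]
    n_enab = [tr for tr in machine["nondet"] if enabled(m, tr)]
    for k in range(len(n_enab) + 1):
        for subset in combinations(n_enab, k):
            yield d_enab + list(subset)

def firing_set_ids(machine, m):
    """The labels of every firing set, e.g. [[], ['z']] for the mixer's initial marking."""
    return [sorted(tr["id"] for tr in fs) for fs in firing_sets(machine, m)]

def next_marking(machine, m, firing):
    """Definition 9: M[Γ]. The stored history shifts one moment into the past, then moment 0 is set."""
    trans = machine["det"] + machine["nondet"]
    prims = set().union(*(tr["prims"] for tr in firing))
    cnsqs = set().union(*(tr["cnsqs"] for tr in firing))
    fired = {tr["id"] for tr in firing}
    new = {n: {t - 1: v for t, v in m.values.get(n, {}).items()}
           for n in list(machine["states"]) + [tr["id"] for tr in trans]}
    for s in machine["states"]:
        # consequents become T, primaries that are not consequents become F, the rest keep their value
        new[s][0] = True if s in cnsqs else (False if s in prims else m.get(s, 0))
    for tr in trans:
        new[tr["id"]][0] = tr["id"] in fired
    return Marking(new, m.past)

# The mixer machine of Section 2.1 (Figure 1), encoded as sample data.
MIXER = {
    "states": ["Switch-ON", "Switch-OFF", "MIXING", "IDLE"],
    "det": [
        transition("w", ["MIXING"], [(True, "Switch-ON", texpr(SOMETIME, -1)),
                                     (False, "MIXING", texpr(ALWAYS, -10, 0))], ["IDLE"]),
        transition("x", ["IDLE"], [(False, "Switch-ON", texpr(SOMETIME, -1)),
                                   (False, "MIXING", texpr(SOMETIME, -30, 0))], ["MIXING"]),
    ],
    "nondet": [
        transition("y", ["Switch-ON"], [], ["Switch-OFF"]),
        transition("z", ["Switch-OFF"], [], ["Switch-ON"]),
    ],
}

def initial_marking():
    """The marking M of Section 2.2: Switch-OFF and IDLE true, all else false, for every i <= 0."""
    past = {n: n in ("Switch-OFF", "IDLE") for n in MIXER["states"]}
    past.update({tr["id"]: False for tr in MIXER["det"] + MIXER["nondet"]})
    return Marking({}, past)

def run(ids_per_step):
    """Definition 10: an execution of the mixer from the initial marking, one firing set per moment.
    Each step is given by its transition labels and is checked to be a legal firing set."""
    m = initial_marking()
    for ids in ids_per_step:
        assert sorted(ids) in firing_set_ids(MIXER, m), f"{ids} is not a firing set here"
        m = next_marking(MIXER, m, [tr for tr in MIXER["det"] + MIXER["nondet"] if tr["id"] in ids])
    return m

if __name__ == "__main__":
    m1 = run([["z"]])
    print("Switch-ON now/before:", m1.get("Switch-ON", 0), m1.get("Switch-ON", -1))
    print("firing sets after z:", firing_set_ids(MIXER, m1))
```

Because MIXING is never marked in this initial marking, transition x stays disabled no matter how the switch is toggled, which is the cement-mixer behaviour noted after Definition 7.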

3.  Transformations  on  HMS  Machines 

In this section, we define local transformations on HMS machines that modify the structure of a machine while maintaining significant aspects of its behavior. The repeated application of such transformations can lead to a machine with a very simple structure, for which the determination of a desired condition is trivial.

In Section 3.1, both “correctness-preserving” and “partial-correctness-preserving” transformations are defined. In Section 3.2, the consistency and completeness of these transformations are demonstrated. The completeness proof is constructive, although for practical examples a more judicious choice of transformations is needed to make the process manageable. The application of our method will be illustrated in Section 5 by verifying a safety condition for a railroad-crossing system.

3.1.  Definition  of  Transformations 

Before formalizing the notion of correctness-preserving transformation, we introduce four preliminary definitions. Definition 11 describes the shifting of time expressions forward or backward in time. Every control, except a sometime-change control, has a complement, which is given in Definition 12. The 1-invariants of Definition 13, which describe an unchanging property of the markings of a subset of states, are analogous to S-invariants from Petri Net Theory [Re-85]. Finally, Definition 14 introduces the notion of marking consistency, which indicates the plausibility of the past history of an HMS machine.

Definition 11 (Time Expression Shift): The “shift of time expression τ by d” is denoted shift(τ, d), and is given by (a) shift(<t1, t2>, d) = <t1 + d, t2 + d>, (b) shift([t1, t2], d) = [t1 + d, t2 + d], and (c) shift(<t1, t2>!, d) = <t1 + d, t2 + d>!.

Definition 12 (Control Complement): If c is a sometime-control or always-control, then the “complement of c” is denoted comp(c), and is given by (a) comp((x, <t1, t2>)) = (¬x, [t1, t2]), (b) comp((¬x, <t1, t2>)) = (x, [t1, t2]), (c) comp((x, [t1, t2])) = (¬x, <t1, t2>), and (d) comp((¬x, [t1, t2])) = (x, <t1, t2>). It follows from the definition of control satisfaction that every marking satisfies exactly one of c and comp(c).

Definition 13 (1-Invariance): Let H = (S, Γ_D, Γ_N). Then S' ⊆ S is a “1-invariant subset of H” if, for every initial marking M0 and every M in every execution in ℰ(H, M0),

‖{s' | s' ∈ S' ∧ M0(s', 0) = T}‖ = 1 ⇒ ‖{s' | s' ∈ S' ∧ M(s', 0) = T}‖ = 1.

Although this paper will not consider the general problem of 1-invariant discovery, we note one simple type: when the transitions into and out of states in S' form a cycle. Two 1-invariants of this type will be needed in the proof of the example in Section 5.2.
Definition 14 (Consistent Marking): A marking M of an HMS machine H is “consistent to k in the past” if there is a marking M* of H such that M is the (k+1)st marking in some execution of H from M*. M is “consistent” if it is consistent to k in the past for all k ≥ 0.

We now introduce four basic classes of correctness-preserving transformations: Delay Change modifies the time expression of a control of a transition; Case Split divides a transition with respect to mutually exclusive facts; Control Addition augments a transition with some logical consequence of its existing controls; Transition Deletion removes a transition with contradictory controls. One member of each transformation class is presented in Figure 2; formal definitions of four or five members of each class follow.
Figure 2. Examples of Correctness-Preserving Transformations
Delay Change:

(1) If transition γ has control c = (x, <t1, t2>), where t1 < t2, split γ into two transitions γ1 and γ2 such that (a) γ1 differs from γ only in that c is replaced by c1 = (x, <t1, t3>), (b) γ2 differs from γ only in that c is replaced by c2 = (x, <t3+1, t2>), and (c) t1 ≤ t3 < t2.

(2) If transition γ has control c = (x, [t1, t2]), where t1 < t2, split c into two controls c1 = (x, [t1, t3]) and c2 = (x, [t3+1, t2]), where t1 ≤ t3 < t2.

(3) If transition γ has control (¬s, <t1, t2>) or (¬s, [t1, t2]), and no transition has primary s, then add the control (¬s, [-∞, t1]).

(4) If transition γ has control (s, <t1, t2>) or (s, [t1, t2]), and no transition has consequent s, then add the control (s, [-∞, t1]).

Case Split:

(1) Split transition γ into two transitions γ1 and γ2 such that control c is added to γ1, and control comp(c) is added to γ2.

(2) If transition γ has control c = (s, <t1, t2>!), and if {γ'1, ..., γ'n} is the set of all transitions with consequent s, split γ into γ1, ..., γn, where γi is identical to γ except that it has the two additional controls (γ'i, <t1, t2>) and (¬s, t1 - 1).

(3) If transition γ has control c = (¬s, <t1, t2>!), and if {γ'1, ..., γ'n} is the set of all transitions with primary s, split γ into γ1, ..., γn, where γi is identical to γ except that it has the two additional controls (γ'i, <t1, t2>) and (s, t1 - 1).

(4) If transition γ has control (γ', <t1, t2>), s is a primary of γ', and {γ'1, ..., γ'n} is the set of all transitions with consequent s, then split γ into γ0, γ1, ..., γn, where (¬s, <t1, t2>) is added to γ0, and (γ'i, <t1, t2>) is added to γi for 1 ≤ i ≤ n.

Control Addition:

(1) If transition γ has control (γ', τ), then add to γ

(a) (x, shift(τ', t - 1)), if (x, τ') is a control of γ' and τ = t.

(b) (p, shift(τ, -1)), if p is a primary of γ'.

(c) (x, <t'1 + t1 - 1, t'2 + t2 - 1>), if (x, <t'1, t'2>) ∈ CTRLS(γ') and τ = <t1, t2>.

(d) (x, <t'1 + t1 - 1, t'2 + t2 - 1>!), if (x, <t'1, t'2>!) ∈ CTRLS(γ') and τ = <t1, t2>.

(2) If transition γ has control (γ', <t1, t2>), and if s is a consequent of γ', then add control (s, <t1, t2>) to γ.

(3) If transition γ has controls (s, τ) and (¬s, τ'), then 46 transformations similar to the following two cases can be defined:

(a) if τ = [t1, t2], τ' = [t1', t2'], and t2 < t1', then add control (¬s, <t2+1, t1'>!);

(b) if τ = [t1, t2], τ' = <t1', t2'>, and t2 < t1', then add control (¬s, <t2+1, t2'>!).

(4) Add any control that reflects a 1-invariant (Definition 13), e.g., if transition γ has control (s, τ), and {s, s'} is a 1-invariant, then control (¬s', τ) can be added.

(5) If (p, d) ∈ CTRLS(γ) for every p ∈ PRIMS(γ'), and (x, shift(τ, d)) ∈ CTRLS(γ) for every (x, τ) ∈ CTRLS(γ'), for some deterministic γ' and d < 0, then add (γ', d+1) to γ.

Transition Deletion: Remove transition γ, if

(1) γ has conflicting controls (e.g., (s, [t1, t2]) and (¬s, <t1', t2'>), t1 ≤ t1' ≤ t2' ≤ t2).

(2) γ has control (s, <t1, t2>!) but no transition has s as a consequent.

(3) γ has control (¬s, <t1, t2>!), but no transition has s as a primary.

(4) γ has controls that conflict with some 1-invariant (Definition 13).

(5) Some γ', of the same type, with the same PRIMS and CNSQS, is enabled whenever γ is.

Note that Transition Deletion #1 and Control Addition #3 are special cases of a class of rewrites for transitions with controls on the same state (e.g., {(s, [t1, t2]), (s, [t3, t4])} ⇒ {(s, [t1, t4])} when t1 ≤ t3 ≤ t2 ≤ t4). There are 108 cases in this class, all of which are straightforward consequences of the definition of control satisfaction (Definition 6).

This list of correctness-preserving transformations is by no means exhaustive. However, the eighteen transformations will be proven to be both consistent and complete in Section 3.2, making them an adequate tool for answering the type of requirement satisfaction problems that will be introduced in Section 4.

There are transformations which are useful in constructing proofs, even though they do not preserve all possible executions of an HMS machine under all possible initial markings. One such “partial-correctness-preserving transformation,” called “Delay Sharpening,” is illustrated in Figure 3, and is formally defined as follows:

Delay Sharpening: If transition γ has primaries p1, ..., pn and controls c1, ..., cm, then obtain γ1, ..., γn, γ'1, ..., γ'm from γ by adding the following controls to copies of γ:

(a) the control (pi, 0!) is added to γi,

(b) the control (x, t!) is added to γ'j if cj is (x, t),

(c) the control (x, t2!) is added to γ'j if cj is (x, <t1, t2>),

(d) the controls (x, t1!) and (x, [t1+1, t2]) are added to γ'j if cj is (x, [t1, t2]).


Figure 3. Partial-Correctness-Preserving Transformation

3.2.  Consistency  and  Completeness  of  Transformations 

The proof that the eighteen correctness-preserving transformations cannot affect the possible executions of an HMS machine relies on the following Lemma. To state the lemma, the definition of the restriction of a marking or an execution is needed:

Definition 15 (Restriction): Let H = (S, Γ_D, Γ_N), let Ψ ⊆ S ∪ Γ_D ∪ Γ_N, and let E = [M0, M1, ...] be an execution in ℰ(H, M0). Then the following “restrictions” can be defined:

M0↾Ψ is the marking function M0 restricted to Ψ × {0, -1, -2, ...}

E↾Ψ is the sequence [M0↾Ψ, M1↾Ψ, ...]

ℰ(H, M0)↾Ψ is the set {E↾Ψ | E ∈ ℰ(H, M0)}

Lemma 1 (Equivalent Execution): Let H = (S, Γ_D, Γ_N) and H' = (S, Γ'_D, Γ'_N), and let M and M' be markings of H and H' such that M↾S = M'↾S. Suppose that, for any enabled transition γ from either machine and of either type (deterministic or non-deterministic), there is an enabled transition γ' of the same type in the other machine, such that PRIMS(γ) = PRIMS(γ') and CNSQS(γ) = CNSQS(γ'). Then ℰ(H, M)↾S = ℰ(H', M')↾S.

Proof (sketch): Suppose that Γ = D-ENAB(H, M) ∪ Γ1 is a firing set of H w.r.t. M, where Γ1 ⊆ N-ENAB(H, M). By the conditions of the Lemma, there is a firing set Γ' = D-ENAB(H', M') ∪ Γ'1 such that PRIMS(Γ) = PRIMS(Γ') and CNSQS(Γ) = CNSQS(Γ'). From Definition 9, then, we have that M[Γ]↾S = M'[Γ']↾S, and thus ℰ(H, M)↾S ⊆ ℰ(H', M')↾S. The proof of the other direction is identical. □

Using the Equivalent Execution Lemma, the following theorem demonstrates the consistency of the correctness-preserving transformations, in the sense that the range of behavior of any transformed HMS machine is identical to that of the original HMS machine.

Theorem 1 (Transformation Consistency): Let H = (S, Γ_D, Γ_N), and let H' be derived from H by one application of a Delay Change, Case Split, Control Addition or Transition Deletion transformation from Section 3.1. Let M and M' be markings of H and H' such that M↾S = M'↾S. Then ℰ(H, M)↾S = ℰ(H', M')↾S.

Proof (sketch): The proof will be given for one case; the other seventeen cases are similar.

Let γ be a transition in H with control c = (s, <t1, t2>), t1 < t2, and let H' be derived from H by a Delay Change #1 applied to γ. Then H' is identical to H, except that γ is replaced by γ1 and γ2, where γ1 has c replaced by (s, <t1, t3>), and γ2 has c replaced by (s, <t3+1, t2>), t1 ≤ t3 < t2. Let M and M' be markings of H and H' such that M↾S = M'↾S.

Then, M satisfies control c = (s, <t1, t2>) ⟺

M(s, t') = T for some t' s.t. t1 ≤ t' ≤ t2 ⟺

M(s, t') = T for some t' s.t. t1 ≤ t' ≤ t3 or M(s, t') = T for some t' s.t. t3 < t' ≤ t2 ⟺

M'(s, t') = T for some t' s.t. t1 ≤ t' ≤ t3 or M'(s, t') = T for some t' s.t. t3 < t' ≤ t2 ⟺

M' satisfies control c1 = (s, <t1, t3>) or M' satisfies control c2 = (s, <t3+1, t2>).

But then (γ is enabled for M) ⟺ (γ1 is enabled for M' or γ2 is enabled for M'). Since γ, γ1 and γ2 have the same primaries and consequents, and are all of the same type, Lemma 1 implies that ℰ(H, M)↾S = ℰ(H', M')↾S. □
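
The following Python check, added here and not part of the paper, implements Definitions 11 and 12, Delay Change #1 and #2 and Case Split #1 from Section 3.1 on a control and transition encoding of my own, and verifies by brute force over every history of one state on a small window the two facts the argument above relies on: a marking satisfies exactly one of c and comp(c), and c is satisfied iff c1 or c2 is (sometime-delay, two transitions) or iff both c1 and c2 are (always-delay, two controls on one transition).

```python
from itertools import product

SOMETIME, ALWAYS = "<>", "[]"  # sometime-delay and always-delay (Definition 1)

def shift(texpr, d):
    """Definition 11: move a time expression by d moments."""
    kind, t1, t2 = texpr
    return (kind, t1 + d, t2 + d)

def comp(ctrl):
    """Definition 12: negate the state and swap sometime/always. ctrl = (negated, state, texpr)."""
    neg, x, (kind, t1, t2) = ctrl
    return (not neg, x, (ALWAYS if kind == SOMETIME else SOMETIME, t1, t2))

def satisfied(hist, ctrl):
    """Definition 6, cases (i), (ii), (iv), (v), for one state's history {t: bool}."""
    neg, x, (kind, t1, t2) = ctrl
    hits = [hist[t] != neg for t in range(t1, t2 + 1)]
    return any(hits) if kind == SOMETIME else all(hits)

def delay_change(ctrl, t3):
    """Delay Change #1/#2: cut <t1, t2> or [t1, t2] at t3 (t1 <= t3 < t2) into c1 and c2."""
    neg, x, (kind, t1, t2) = ctrl
    assert t1 <= t3 < t2
    return (neg, x, (kind, t1, t3)), (neg, x, (kind, t3 + 1, t2))

def case_split(tr, ctrl):
    """Case Split #1: two copies of transition tr, one with ctrl added and one with comp(ctrl) added."""
    return tuple(dict(tr, ctrls=tr["ctrls"] + [c]) for c in (ctrl, comp(ctrl)))

def histories(t1, t2):
    """Every marking of one state over the moments t1..t2 (constructed exhaustively)."""
    times = range(t1, t2 + 1)
    for bits in product((False, True), repeat=len(times)):
        yield dict(zip(times, bits))

def complement_is_exclusive(ctrl):
    """The claim after Definition 12: every marking satisfies exactly one of c and comp(c)."""
    _, _, (_, t1, t2) = ctrl
    return all(satisfied(h, ctrl) != satisfied(h, comp(ctrl)) for h in histories(t1, t2))

def delay_change_preserves(ctrl, t3):
    """The Theorem 1 case above, checked exhaustively: c holds iff c1 or c2 holds for a
    sometime-delay (#1, two transitions) and iff c1 and c2 both hold for an always-delay
    (#2, two controls on the same transition)."""
    c1, c2 = delay_change(ctrl, t3)
    _, _, (kind, t1, t2) = ctrl
    combine = any if kind == SOMETIME else all
    return all(satisfied(h, ctrl) == combine((satisfied(h, c1), satisfied(h, c2)))
               for h in histories(t1, t2))

if __name__ == "__main__":
    c = (False, "MIXING", (SOMETIME, -3, 0))  # a constructed control on the mixer's MIXING state
    print("exactly one of c, comp(c):", complement_is_exclusive(c))
    print("Delay Change #1 at t3 = -2 preserves c:", delay_change_preserves(c, -2))
```

The window is kept short (four moments give sixteen histories) only so that the enumeration stays instant; the check is exact for any window it is run on.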
The next theorem demonstrates that nine of the eighteen transformations are sufficient to demonstrate unreachability in any HMS machine of the type defined in Section 2:

Theorem 2 (Transformation Completeness): If transition γ is not enabled in any consistent marking of HMS machine H, then γ can be deleted by performing a finite sequence of Case Split #1-4, Control Addition #1, 2, 3 and 5, and Transition Deletion #1 transformations.

Proof (sketch): Let -d be the smallest number appearing in any time expression of any transition in H. By a succession of Case Splits #1, all possible executions from 2^{|S|(d+1)} moments ago to the present moment can be represented as new controls. Then, by a combination of Control Additions #2 and #3, Case Splits #1, #2, #3 and #4, and Transition Deletions #1, all possible markings consistent with the executions from 2^{|S|(d+1)} moments ago to the present moment can be represented. Also, by a combination of Control Additions #1 and #5, all necessary preconditions of those executions can be represented. For each resulting transition γ', there are two possibilities: a contradiction exists between two controls, or no contradiction exists. In the first case, a Transition Deletion #1 removes γ'. In the second case, a consistent marking M* can be constructed which enables γ. The key to this construction is the Pigeonhole Principle, which guarantees that, in a marking of length 2^{|S|(d+1)} + 1, there must be two moments i and j, with -2^{|S|(d+1)} ≤ i < j ≤ 0, such that the marking of all states at i+k agrees with the marking of all states at j+k, for every -d ≤ k ≤ 0. Then, if M* agrees with the possible marking represented on γ' from i to 0, and repeats the marking from i to j back into the infinite past, it can be shown that M* is consistent and that it enables γ, which is a contradiction. □

Although this proof is constructive, the number of steps it would require is prohibitive. Stronger proofs probably exist that would give a smaller bound on the number of steps. In practice, however, with proper selection and ordering of transformations, the complexity of a verification is manageable. For example, the proof of the safety of the railroad-crossing example in Section 5.2 requires 104 transformation steps, many of which fall into simple and natural sequences of operations.

Note that the completeness result does not apply to the problem of unreachability with respect to properties of an initial marking. However, this case can be covered whenever the initial conditions are representable as additional controls on y.

Although the Delay Sharpening transformation does not maintain complete behavioral equivalence, it can preserve an important property of HMS machines, "unreachability":

Definition 16 (Unreachability): If H = (S, TD, TN) is an HMS machine, and if M0 is a marking of H, then a state s in S is "unreachable from M0" if M(s, 0) = F for every marking M in every execution in ε(H, M0).

The second transformation theorem gives the conditions under which a Delay Sharpening transformation may be used to preserve unreachability in an HMS machine:

Theorem 3 (Partial-Correctness Transformation Consistency): Let H' = (S, T'D, T'N) be derived from H = (S, TD, TN) by a single Delay Sharpening transformation to a transition y. Let M and M' be markings of H and H' respectively, such that M|S = M'|S. If the state s is unreachable in H' from M', for some s ∈ CNSQS(y), then s is unreachable in H from M.

Proof (sketch): If s is reachable in H from M without firing y, then the same execution is possible for H' from M'. Otherwise, if s is reachable in H from M, then y must be fired, and thus y must be enabled, and thus y must be enabled for a first time. The execution of H from M up to the first enablement of y can be duplicated in H' from M', and at that moment at least one of the new transitions must be enabled. □

4. Representation of Requirements in HMS Machines

In this section, a method will be presented for representing system requirements as new states in an HMS machine. In particular, this method can represent "safety properties," which say, informally, that "something bad never happens." These requirements, which include hard deadlines, can be associated with new states of an HMS machine, so that the new states are unreachable if and only if the requirements are guaranteed to hold. It is advantageous to have system requirements given in the same HMS machine as the system specification, because it reduces a logical condition (satisfaction) to an execution condition (reachability). As was shown in Section 3, correctness-preserving transformations can answer questions of unreachability, and hence can be used to verify that a system specification meets desired safety properties. Lastly, the NP-completeness of reachability for HMS machines is proven, suggesting the inherent intractability of safety verification.

Before defining the satisfaction of safety requirements on the states of an HMS machine, the notion of a state literal needs to be defined:

Definition 17 (State Literal): A "state literal" is either a state or the negation of a state. The marking M "satisfies" the literal l (written M ⊨ l) if (a) l = s and M(s, 0) = T, or (b) l = ¬s and M(s, 0) = F.

The next two definitions indicate, in two simple cases, when a safety requirement R is satisfied by an execution E (written E ⊨ R). The temporal logic operator □ stands for "at the present moment, and at all future moments:"

Definition 18 (Simple Safety Property): Let E = [M0, M1, ...] be an execution of H, and let l1, ..., ln be literals of H. Then "□(l1 ∨ ... ∨ ln)" is a "simple safety property of H," and is "satisfied" by execution E if, for every i ≥ 0, there is an lk such that Mi ⊨ lk.

Definition 19 (Simple Deadline Property): Let E = [M0, M1, ...] be an execution of H, let l, l1, ..., ln be literals of H, and let d > 0. Then "□(l → ((l1 ∨ ... ∨ ln) before d))" is a "simple deadline property of H," and is "satisfied" by execution E if, whenever Mi ⊨ l, there exists an i', i ≤ i' ≤ i+d, and there exists an lk such that Mi' ⊨ lk.

Notice that simple safety properties and simple deadline properties are both "safety properties" in the common meaning of the term [La-77]. They are distinguished here because their representation within an HMS machine will be somewhat different, as will be seen in the following two theorems that relate satisfaction to unreachability:

Theorem 4 (Simple Safety): Let H = (S, TD, TN) be an HMS machine, and let SAFE be a simple safety property of H: □(l1 ∨ ... ∨ ln). Then there is an HMS machine H' = (S ∪ {s*}, TD ∪ {y}, TN) such that

(a) for every marking M' of H', ε(H', M')|(S ∪ TD ∪ TN) = ε(H, M'|(S ∪ TD ∪ TN))

(b) for every marking M' of H' such that M'(s*, 0) = F,

s* unreachable from M' ⟺ E|(S ∪ TD ∪ TN) ⊨ SAFE for all E ∈ ε(H', M').

Proof (sketch): Add to H' the new state s*, and the following deterministic transition y:

y: ( ) ((¬l1, 0) ... (¬ln, 0)) → (s*) [where ¬li = sj whenever li = ¬sj].

Property (a) holds, since y has no primaries or consequents in S. Property (b) holds since s* can become marked if and only if y can become enabled, and any execution leading to a marking which first enables y will fail to satisfy SAFE. □

Theorem 5 (Simple Deadline): Let H = (S, TD, TN) be an HMS machine, and let DLINE be a simple deadline property of H: □(l → ((l1 ∨ ... ∨ ln) before d)). Then there is an HMS machine H' = (S ∪ {s*}, TD ∪ {y}, TN) such that

(a) for every marking M' of H', ε(H', M')|(S ∪ TD ∪ TN) = ε(H, M'|(S ∪ TD ∪ TN))

(b) for every marking M' of H' such that M'(s*, 0) = F,

s* unreachable from M' ⟺ E|(S ∪ TD ∪ TN) ⊨ DLINE for all E ∈ ε(H', M').

Proof (sketch): Add to H' the new state s*, and the following deterministic transition y:

y: ( ) ((l, -d), (¬l1, [-d, 0]) ... (¬ln, [-d, 0])) → (s*)

The demonstration that (a) and (b) hold for H' follows the proof of Theorem 4. □

Since the satisfaction of safety properties is reducible to HMS state unreachability, it is worth noting that the HMS state reachability problem is NP-complete. The proof mimics a proof in [De-88], which demonstrated the NP-completeness of certain planning problems.

Theorem 6 (NP-Complete): The HMS state reachability problem is NP-complete.

Proof (sketch): Reachability is in NP, since a legal firing sequence can be guessed and checked efficiently. NP-hardness follows by reduction of the NP-complete problem 3SAT, the satisfiability of conjuncts of disjuncts of triples of literals [Ga-79]. For any such logical expression, an HMS machine can be constructed which (a) non-deterministically chooses a valuation for all atoms in the first clock tick, and (b) deterministically evaluates the expression at that valuation over the next two clock ticks. The state corresponding to the truth of the expression is reachable if and only if the original expression is satisfiable. □

5. Railroad-Crossing Example

This section illustrates the application of the transformational approach of this paper for verifying safety properties of real-time systems for the example of a railroad-crossing system adapted from [Ja-88]. Following our basic approach, the proof is in two parts: (1) In Section 5.1, we represent the deadline-dependent safety property associated with the railroad-crossing system using new states in its HMS specification, following the method of Section 4. (2) In Section 5.2, we demonstrate that the state corresponding to the key safety property is unreachable, using the transformational method of Section 3.

It is important to emphasize that our approach, unlike the method used in [Ja-88] to verify the same safety property, is not a mechanical decision procedure. When the system under consideration is complex, there may be no practical mechanical procedure, since the complexity of most methods grows explosively with the size of the system. In contrast, a judicious choice of transformations can, in a few steps, drastically prune a problem which would otherwise be overwhelming. Note that the argument for heuristic proof methods is strengthened by the NP-completeness result of Section 4.

5.1. Requirement Representation for the Railroad-Crossing Example

A railroad-crossing system can be modeled as the interactions of a train and a gate. When the train nears the crossing, a signal is sent to the gate that it should not be in the up position, and when it leaves the crossing a signal is sent indicating that the gate can be up. This system is specified by the HMS machine RR = (S, TD, TN), where

S = {BEFORE-CROSS, NEAR-CROSS, IN-CROSS, PAST-CROSS, Gate_Up=T, Gate_Up=F, MOVE-UP, UP, MOVE-DOWN, DOWN}

TD = {t1: (MOVE-UP) ((Gate_Up=F, 0)) → (MOVE-DOWN)
      t2: (DOWN) ((Gate_Up=T, 0)) → (MOVE-UP)
      t3: (UP) ((Gate_Up=F, 0)) → (MOVE-DOWN)}

TN = {t4: (BEFORE-CROSS) ( ) → (NEAR-CROSS)
      t5: (NEAR-CROSS) ((NEAR-CROSS, [-300, 0])) → (IN-CROSS)
      t6: (IN-CROSS) ( ) → (PAST-CROSS)
      t7: (PAST-CROSS) ((PAST-CROSS, [-100, 0])) → (BEFORE-CROSS)
      t8: (Gate_Up=T) ((NEAR-CROSS, 0)) → (Gate_Up=F)
      t9: (Gate_Up=F) ((PAST-CROSS, 0)) → (Gate_Up=T)
      t10: (MOVE-UP) ((Gate_Up=T, 0)) → (UP)
      t11: (MOVE-DOWN) ( ) → (DOWN)}

The first four states of RR indicate where the train is at any moment: well before the crossing, near the crossing, in the crossing, or past the crossing. The last four states indicate where the gate is at any moment: on its way up, fully up, on its way down, or fully down. The middle two states indicate the signal being sent to the gate: the gate should be up, or the gate should not be up. We may use the following abbreviations for the states: {BC, NC, IC, PC, GUT, GUF, MU, UP, MD, DN}.

This system has the following three deadline properties associated with it:

Deadline 1: Transition from GUT to GUF within 50 moments of NC becoming marked.
Deadline 2: Transition from GUF to GUT within 50 moments of PC becoming marked.
Deadline 3: Transition from MD to DN within 50 moments of MD becoming marked.

As shown in Theorem 5, these deadlines can be represented in RR by adding three new states: Missed-Deadline1, Missed-Deadline2, and Missed-Deadline3 (abbreviated MDL1, MDL2, MDL3) together with the following three deterministic transitions:

t12: ( ) ((NEAR-CROSS, -50), (Gate_Up=T, [-50, 0])) → (MISSED-DEADLINE1)
t13: ( ) ((PAST-CROSS, -50), (Gate_Up=F, [-50, 0])) → (MISSED-DEADLINE2)
t14: ( ) ((MOVE-DOWN, [-50, 0])) → (MISSED-DEADLINE3)

Notice that a deadline is missed in the system if and only if the corresponding state in the extended HMS machine becomes marked.

There is also an important non-deadline safety requirement for the railroad-crossing system: the crossing-arm must be down whenever the train is in the crossing:

□(¬IN-CROSS ∨ DOWN)

By Theorem 4, this simple safety property can be represented by adding the state UNSAFE-CROSS (abbreviated UC), together with the following deterministic transition:

t15: ( ) ((¬DOWN, 0), (IN-CROSS, 0)) → (UNSAFE-CROSS)

Lastly, the key desirable system property is that the non-deadline safety requirement above is guaranteed to hold if no deadlines are ever violated:

□(¬UC ∨ MDL1 ∨ MDL2 ∨ MDL3)

This simple safety property can now be represented by the new state SYSTEM-FAILURE (abbreviated SF), together with the following deterministic transition:

t16: ( ) ((UC, 0), (¬MDL1, 0), (¬MDL2, 0), (¬MDL3, 0)) → (SYSTEM-FAILURE)

The extended HMS machine RR is shown graphically in Figure 4. Transitions with no primaries are depicted as arrows from crossbars; requirement states are shaded in gray.
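
The requirement transitions t12 to t16 can be exercised against finite execution prefixes, which also shows Theorems 4 and 5 at work: a requirement transition first becomes enabled exactly when the corresponding property of Definition 18 or 19 fails. The Python below is an added example, not code from the paper; it assumes that nothing is marked before moment 0, that a transition enabled at moment m marks its consequent at moment m+1 (as the proof sketch in Section 5.2 reads), and the traces ON_TIME, LATE_SIGNAL and SLOW_ARM are constructed by hand rather than generated from RR's own transitions.

```python
from typing import Dict, List, Optional, Set, Tuple, Union

Execution = List[Set[str]]  # E[i] = set of RR states marked at moment i
Control = Tuple[str, Union[int, Tuple[int, int]]]  # literal ("¬" prefix = negation), k or [a, b]

def satisfies(exe: Execution, i: int, lit: str) -> bool:
    """Definition 17: M_i ⊨ lit.  Assumption: nothing is marked outside the prefix."""
    negated, state = lit.startswith("¬"), lit.lstrip("¬")
    return (0 <= i < len(exe) and state in exe[i]) != negated

def control_holds(exe: Execution, i: int, ctrl: Control) -> bool:
    """(lit, k): lit at moment i+k.  (lit, [a, b]): lit at every moment i+a .. i+b."""
    lit, when = ctrl
    lo, hi = (when, when) if isinstance(when, int) else when
    return all(satisfies(exe, i + k, lit) for k in range(lo, hi + 1))

def first_enabled(exe: Execution, controls: List[Control]) -> Optional[int]:
    """First moment at which a primary-free transition with these controls is enabled."""
    return next((i for i in range(len(exe))
                 if all(control_holds(exe, i, c) for c in controls)), None)

def simple_safety(exe: Execution, lits: List[str]) -> bool:
    """Definition 18: □(l1 ∨ ... ∨ ln) at every moment of the prefix."""
    return all(any(satisfies(exe, i, l) for l in lits) for i in range(len(exe)))

def simple_deadline(exe: Execution, trigger: str, lits: List[str], d: int) -> bool:
    """Definition 19: □(l → ((l1 ∨ ... ∨ ln) before d)), for every trigger moment i
    whose window [i, i+d] lies inside the prefix (later triggers are inconclusive)."""
    return all(any(satisfies(exe, j, l) for j in range(i, i + d + 1) for l in lits)
               for i in range(len(exe) - d) if satisfies(exe, i, trigger))

# Requirement transitions t12..t16 of Section 5.1 as control lists (none has primaries).
T12 = [("NEAR-CROSS", -50), ("Gate_Up=T", (-50, 0))]        # → MISSED-DEADLINE1 (MDL1)
T13 = [("PAST-CROSS", -50), ("Gate_Up=F", (-50, 0))]        # → MISSED-DEADLINE2 (MDL2)
T14 = [("MOVE-DOWN", (-50, 0))]                             # → MISSED-DEADLINE3 (MDL3)
T15 = [("¬DOWN", 0), ("IN-CROSS", 0)]                       # → UNSAFE-CROSS (UC)
T16 = [("UC", 0), ("¬MDL1", 0), ("¬MDL2", 0), ("¬MDL3", 0)]  # → SYSTEM-FAILURE (SF)
REQUIREMENT = {"MDL1": T12, "MDL2": T13, "MDL3": T14, "UC": T15}

def with_requirement_states(exe: Execution) -> Execution:
    """Mark requirement states; assumed: a transition enabled at m marks its consequent at m+1."""
    out = [set(m) for m in exe]
    for i in range(len(out) - 1):
        out[i + 1] |= out[i] & set(REQUIREMENT)  # persist: no RR transition has one as primary
        out[i + 1] |= {s for s, cs in REQUIREMENT.items()
                       if all(control_holds(out, i, c) for c in cs)}
    return out

def trace(length: int, changes: Dict[int, Set[str]]) -> Execution:
    """Constructed prefix: changes[i] is the complete RR marking from moment i onward."""
    exe: Execution = []
    for i in range(length):
        exe.append(set(changes.get(i, exe[-1] if exe else set())))
    return exe

# Constructed scenarios (not from the paper); the train reaches NEAR-CROSS at moment 1.
START = {0: {"BEFORE-CROSS", "Gate_Up=T", "UP"}, 1: {"NEAR-CROSS", "Gate_Up=T", "UP"}}
SIGNALLED = {2: {"NEAR-CROSS", "Gate_Up=F", "UP"}, 3: {"NEAR-CROSS", "Gate_Up=F", "MOVE-DOWN"}}
ON_TIME = trace(80, {**START, **SIGNALLED, 4: {"NEAR-CROSS", "Gate_Up=F", "DOWN"},
                     60: {"IN-CROSS", "Gate_Up=F", "DOWN"}})
LATE_SIGNAL = trace(80, {**START, 60: {"IN-CROSS", "Gate_Up=T", "UP"}})  # signal never sent
SLOW_ARM = trace(80, {**START, **SIGNALLED, 60: {"IN-CROSS", "Gate_Up=F", "MOVE-DOWN"}})

def check(exe: Execution) -> dict:
    """Requirement-state view (Theorems 4 and 5) beside the direct Definition 18/19 checks."""
    return {"MDL1": first_enabled(exe, T12), "MDL3": first_enabled(exe, T14),
            "UC": first_enabled(exe, T15), "SF": first_enabled(with_requirement_states(exe), T16),
            "deadline1": simple_deadline(exe, "NEAR-CROSS", ["Gate_Up=F"], 50),
            "deadline3": simple_deadline(exe, "MOVE-DOWN", ["DOWN"], 50),
            "safe_crossing": simple_safety(exe, ["¬IN-CROSS", "DOWN"])}
```

In both violating traces a missed-deadline state is marked before UNSAFE-CROSS, so t16 never becomes enabled on these prefixes, which is what the transformational proof of Section 5.2 establishes for every execution of RR.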

5.2. Transformational Proof of the Railroad-Crossing Example (sketch)

The HMS machine depicted in Figure 4 specifies the railroad-crossing system together with timing constraints and important safety properties. If the state SYSTEM-FAILURE is shown to be unreachable, then the corresponding safety property is guaranteed to be satisfied. In fact, the state can be proven to be unreachable, given the following assumptions about the initial marking M0: (1) exactly one of {IC, PC, BC, NC} is marked by M0, (2) exactly one of {GUT, GUF} is marked by M0, (3) exactly one of {MU, UP, MD, DN} is marked by M0, and (4) M0 is consistent (Definition 14). The proof makes use of the fact that {GUT, GUF} and {IC, PC, BC, NC} are both 1-invariants of RR, which follows from the cyclic structure of transitions into and out of those states.


[Figure 4: diagram of the extended machine RR, including the requirement state SYSTEM-FAILURE (SF).]
Figure 4. Railroad Crossing with System Requirements


Figure 5 presents an outline of the main steps of the transformational proof. The nodes of this tree show controls on significant transitions generated in the course of the proof, and the values on the branches give the number of transformations from one node to the next. The proof begins by applying a Delay Sharpening transformation to transition t16:

( ) ((¬MDL1, 0!) (¬MDL2, 0) (¬MDL3, 0) (UC, 0)) → (SF)

( ) ((¬MDL1, 0) (¬MDL2, 0!) (¬MDL3, 0) (UC, 0)) → (SF)

( ) ((¬MDL1, 0) (¬MDL2, 0) (¬MDL3, 0!) (UC, 0)) → (SF)

( ) ((¬MDL1, 0) (¬MDL2, 0) (¬MDL3, 0) (UC, 0!)) → (SF)

The first three transitions are then removed (using Transition Deletion #3), since no transition has a deadline state as a primary. Case Split #2 is applied to the fourth transition to add controls (t15, 0) and (¬UC, -1), and Delay Change #3 pushes back the delays on some controls. The transition now has the five controls at the node labeled A in Figure 5.


[Figure 5: the transformational proof as a tree. The root is ( ) ((UC, 0) (¬MDL1, 0) (¬MDL2, 0) (¬MDL3, 0)) → (SF); node A, four transformations below it, carries the controls (¬UC, [-∞, -1]) (¬MDL1, [-∞, 0]) (¬MDL2, [-∞, 0]) (¬MDL3, [-∞, 0]) (t15, 0); the two branches from A add (¬DN, -1!) (IC, -1) and (¬DN, -1) (IC, -1!). The numbers on the branches are transformation counts, and each leaf is labeled "violates 1-invariance", "subsumed by node D", or "contradictions or 1-invariance violations after split". The remaining nodes of the diagram did not survive scanning.]
Figure 5. Outline of Transformational Proof for Railroad-Crossing Safety Property


From node A, Control Addition #1 supplies controls required for t15 to have fired, and Delay Sharpening is applied to those new controls. At this point, the first main branching in the proof occurs (nodes B and C in Figure 5).

The transition at node C is later split into four main cases (using successive Case Split #1's), one of which has the control (DN, -251) added to it (node E in Figure 5). From this point, Control Addition #3 adds the control (¬DN, <-250, -1>!), since (¬DN, -1) is already present; then Case Split #3 adds (t2, <-250, -1>), which is the only way DN can become false; then Control Addition #1 adds (GUT, <-251, -2>), which is necessary for t2 to fire; and then Transition Deletion #4 eliminates this transition, because (GUT, <-251, -2>) is an invariant conflict with the preexisting control (GUF, [-251, -1]).

There is much repetition in this proof. For example, the paths from nodes F and G in Figure 5 take 13 steps, but they agree on their final 11 steps (same transformations involving the same states and controls). Moreover, there are transformational "cliches" which recur, e.g., the three-step sequence (1) add sometime-change controls X, (2) add transition-based controls Y to satisfy X, (3) add state-based controls Z to satisfy Y. Perhaps such cliches can be replaced by single, high-level transformations.

A total of 104 transformations are applied in the course of this proof, generating a tree with eight main leaves at depths ranging from 19 to 35. Each leaf represents a deleted transition, and, at the end of the proof, no remaining transition has System-Failure as a consequent. By Theorems 1 and 3, then, this state must be similarly unreachable in the original machine, and thus the corresponding safety property holds, i.e., if all specified deadlines are met, the train will never be in the crossing unless the gate is down.

6. Summary and Conclusions

A new formalization was presented for a simple class of HMS machines that are suitable for specifying complex dynamic systems with timing constraints. It was shown how system requirements can be represented within such an HMS machine, thus recasting a question of logical satisfaction as a state reachability problem. A collection of consistent and complete correctness-preserving transformations was given, by which an HMS machine structure can be modified without altering important aspects of its behavior. The combination of requirement representation and structural transformation constitutes a proof method for verifying that a system specification meets its safety requirements, including those involving hard deadlines.

Possible extensions of this work include (1) discovery of more powerful (partial) correctness-preserving transformations, (2) definition of new concepts of partial behavioral equivalence, (3) consideration of other classes of HMS machines, and (4) creation of a user-assisted automated system for applying transformations along the lines of an interactive theorem prover (e.g., [Pa-87]).